Is open source the key to secure election infrastructure?

By Derek B. Johnson

May 10, 2019

Open source technology may hold the key to unlocking longstanding challenges around election security.

The voting machines, voter registration systems and other election-related technologies state and local governments rely on are proprietary systems available from a handful of private vendors who have been reluctant to allow third-party audits of their products. When independent researchers have closely examined voting machines or probed commonly used software like voter registration systems, they've found serious cybersecurity vulnerabilities in nearly every model.

That situation has prompted a number of organizations to try to disrupt the status quo. One group, Voting Works, which was created last year in partnership with the non-profit Center for Democracy and Technology (CDT), seeks to build "secure, usable, affordable and open-source voting machines" that will help to restore trust in the modern election system.

At a May 8 House Administration committee hearing, Joseph Lorenzo Hall, chief technologist for CDT, told lawmakers that the goal of Voting Works and organizations like it is to create a foundation of election-related technology that can be used and improved over time through crowdsourced testing.

"We hope that by building things that people can take and use and build on … it will spread good things rather than keeping things proprietary and keeping things secret," Hall said.

On May 6, Microsoft unveiled a new free, open-source software development kit in partnership with Galois that can be integrated with the off-the-shelf software used in many current voting machines. According to Tom Burt, corporate vice president for customer security and trust at Microsoft, the software supports best practices such as risk-limiting audits and end-to-end verification processes that allow both voters and third-party organizations to verify election results without disclosing the substance of individual recorded votes. The software development kit will be made available to the public on GitHub under an MIT Open Source License.

Galois also has a $10 million contract with the Defense Advanced Research Projects Agency for another secure voting system that relies on open-source hardware and software and draws on previous DARPA security research and design. In line with what experts view as best practice, the software source code will be made available to the public and prototypes will be sent to the annual Def Con Voting Village for hackers to probe and prod for weaknesses, according to Motherboard.

However, it's possible that the push for more open-source products could still face resistance, not only from private vendors but also from states, particularly if the federal government is involved.

"Frankly, I feel like the free market is the one that ought to determine what the availability of that equipment is and what should be purchased and what should not, as long as it meets the standards," Alabama Secretary of State John Merrill told lawmakers. He later clarified that his real objection was to the concept of non-voluntary "universal adoption" by states.

Michigan Secretary of State Jocelyn Benson said she would welcome federal investment into more secure elections infrastructure. "It would need to be a partnership with states and local election officials who have unique things to share into what that infrastructure should look like," she said. "But certainly I could only imagine that it would help our efforts to secure our elections if we had that level of infrastructure support."

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.